Analysis of Adversarial Code: The role of Malware Kits

Introduction: What are Malware Kits (Exploit Driven)?

- Software components, written mostly in PHP, that automate the installation of malware by exploiting unpatched vulnerabilities on the victim's system.
- Use the web browser as the attack vector.
- Updated regularly: the exploit base is refreshed and the management and reporting capabilities are improved.
- Most malware kits are sold commercially through underground channels (forums and IRC).

Introduction: Why Malware Kits are popular?

- Ability to identify the remote operating system, browser type and version, and geography, and send exploits accordingly.
- Probability of successful infection is higher when multiple exploits are used against dissimilar targets.
- Efficiency of attack: statistics about the infected operating system, browser and exploits can be gathered.
- Some kits like Icepack allow automatic injection of malicious iframes into multiple websites, widening the chances of infection.
- Popularly adopted by Nuwar a.k.a. Storm worm, which built a massive botnet of infected computers (zombies).

Popular Incidents: The Italian Job

- Hackers compromised ~10,000 websites, which pointed to malicious links hosting Mpack.
- Believed to have exploited a vulnerability in cPanel.

Popular Incidents: IndiaTimes Hack

- Malicious script was injected into the webpage.
- The installed malware included a cocktail of Downloader and Dropper Trojans.

MPACK

- PHP-based malware kit produced by Russian hackers.
- Sold for around $700 - $1000, with additional costs for updates.
- The tool is initiated when index.php, hosted on a server, is accessed by a user.
- This file determines the browser and operating system of the incoming user.
- Based on the browser type and operating system, a web exploit is served to the user's machine.
- After successful exploitation, a payload file is sent to the user's machine and automatically executed.

MPACK Architecture (diagram slide)

MPACK Control Panel

- Logs the operating system and browser statistics.
- Logs the number of attacks and efficiency according to IP address and geography.
- The software can be configured to send an exploit only once, which can hinder analysis by researchers.
- Blocks countries according to predefined 2-letter country codes.

Image Source: VirusTotal Blog

ICEPACK Architecture (diagram slide)

ICEPACK Control Panel (screenshot slide)

Analyzing Obfuscated Code

Code Obfuscation

- Most code obfuscation techniques are composed of two parts:
  - Encrypted string
  - Decryptor
- This process may be repeated several times: the decrypted string may itself contain another string to be decrypted.
- The depth of the decryption loop varies with the algorithm.

How De-obfuscation works?

- Place hooks on commonly used methods such as:
  - document.write
  - document.writeln
  - eval
- Redirect them to a log window instead of execution, where the data can be conveniently interpreted.
- Using hostilejsdebug to de-obfuscate scripts.

The decryptor itself is encoded, and the decoded function then evaluates the encrypted string.

The spammed mail shown above delivers an exploit for the MS06-014 vulnerability.

Feebs Worm

- Polymorphic worm with JavaScript and VBScript components.
- Harvests mail from the machine and sends itself using its own SMTP engine.
- Injects a ZIP attachment containing a copy of the worm into outgoing SMTP sessions.
- Drops a rootkit component, opens a backdoor, and drops a copy of the worm into P2P folders.

How Browser Exploits Work?

MDAC Exploit – MS06-014

- The exploit is delivered to a user's browser via an iframe on a compromised or malicious web page.
- The iframe contains JavaScript that instantiates an ActiveX object with CLSID {BD96C556-65A3-11D0-983A-00C04FC29E36}.
- The JavaScript makes an AJAX XMLHTTP request to download an executable.
- Adodb.stream is used to write the executable to disk.
- Shell.Application is used to launch the newly written executable.

Heap Spray Exploit

- State of the art in browser exploitation, developed by SkyLined in 2004.
- System heap accessible from JavaScript code.

Background: ANI Vulnerability

What Microsoft had to say?

"A remote code execution vulnerability exists in the way that Windows handles cursor, animated cursor, and icon formats. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution" – MS07-017

- Related vulnerability reported by eEye in 2005.
- Vulnerability in the LoadCursorIconFromFileMap() function in user32.dll.
- Caused by improper bounds checking while reading the structure.

Defining the Vulnerability: ANI File Format

- The ANI file format is used for storing animated cursors.
- Based on the RIFF multimedia file format.
- Each chunk starts with a 4-byte ASCII tag, followed by a DWORD specifying the size of the data contained in the chunk.
- One of the chunks in an ANI file is the anih chunk, which contains a 36-byte animation header structure:

  "anih" {(DWORD)Length_of_AnimationHeader} {AnimationHeaderBlock}

- The vulnerable code did not validate the length of the anih chunk before reading the chunk data into a fixed-size buffer on the stack.
